Data is a crucial resource of any organization, and if it is lost, compromised, or stolen, the effects on the business can be devastating. You need to have systems in place to protect data — whether at rest or in transit — from unauthorized access.
Data at rest is stored physically, for example, in a database, data warehouse, tapes, off-site backups, or on mobile devices. Organizations can use encryption to fight threats to their data at rest. Encrypting data protects information from disclosure even if that information is lost or stolen.
Data that is moving from one place to another — for instance when it is transmitted over the Internet—is referred to as data in transit or data in motion. Encryption methods like HTTPS, SSL, and TLS are often used to protect data in motion.
In this document, we show you a solution-oriented approach to protect your data — whether your data is at rest or in transit. This approach covers how to encrypt data at rest (files, objects, storage) and in motion, as well as solutions to monitor data activity to verify and audit data that is outsourced to the cloud.Key components of data security that you should account for in your cloud solution include:
- Data protection
- Data integrity
- Data classification and data activity monitoring
- Data privacy and regulations
A data protection solution for your cloud environment should offer data encryption, data access control, key management, and certification management.
To create secure data protection, you need to consider the following options that are available to customers and users:
- Data-at-rest encryption in IBM® Cloud®
- Block and file storage encryption services using IBM Cloud Data Encryption Services
- IBM Key Protect
- Object store encryption using IBM® Cleversafe®
- Cloud data services encryption
- Certificate management
For each of these options, you need to define processes, controls, and policies for how to implement them.
Data encryption and key management
First, let’s look at IBM Cloud’s capabilities for encrypting data at rest. Customers should be able to encrypt their data stored in IBM Cloud and manage their own keys – across all supported data and storage services.
IBM Cloud solutions offer key management capabilities and support for file, block, object store, and database-level encryption. As part of key management, we will describe support for hardware security modules (HSM) for greater security.
Figure 1 shows IBM Cloud’s encryption capabilities for data at rest.
When creating a cloud solution with strict data security, you should consider the following:
- The type of data that a customer uses determines their encryption needs
- Different data storage types, including files, objects, databases, data services, and block
- Key management – and especially customer-managed keys and hardware key stores
To address a wide range of application and business requirements, IBM Cloud provides multiple options for encrypting data at rest. We provide encryption for block and file storage, encryption at the object level, encryption data services, and key management.
Figure 2 shows the different options:
IBM Cloud Data Encryption Services (ICDES)
IBM Cloud Data Encryption Services (ICDES) is a software-defined data protection solution that can be run in any public or private data center. ICDES is included in IBM SoftLayer®, IBM’s Infrastructure as a Service solution.
ICDES provide data-storage encryption capabilities with availability and fault tolerance to meet enterprise encryption requirements for data at rest. This solution can be used in a public, private, hybrid, or on-premises cloud environments.
- Built-in key management: A built-in key management system eliminates the need for expensive bulk key storage systems and allows for the enhanced security of unique encryption keys at the granularity of a file. With ICDES, you determine what folders or files to protect (encrypt) and your desired level of resiliency. With the VMware version, you can create a secure data store with vCenter access.
- Ease of use:ICDES bring together a unique combination of random cryptographic-splitting and data encryption into an easy-to-use, FIPS 140-2 certified solution. It supports regulatory compliance for HIPAA, FISMA, Sarbanes-Oxley, EUDPD, and PCI.
- Speed and performance: ICDES software works at the kernel level of the server on which it is deployed. Additionally, it takes full advantage of the AES-NI hardware acceleration that is available in most new processors. So, compared to encryption solutions that work at the non-kernel level of a server, ICDES performance is exceptionally better.
- Permissions support: ICDES works seamlessly with the existing authentication and authorization system in place. It works seamlessly with Active Directory and LDAP. So,user permissions and access methods and policies remain the same when ICDES is set up. ICDES has local user authentication for administrators.
- Disaster recovery: ICDES supports disaster recovery. It allows data to be split across data centers in different geographies. So, if a data center is lost due to a disaster, the data can still be accessed.
IBM Key Protect
In IBM® Bluemix® Public environments, Key Management Services are provided by a component called IBM Key Protect. This component is a cloud-based, multi-tenant key management service that gives the customers ownership of the encryption process in their environment. Key Protect is based on OpenStack Barbican, which provides a REST API for secure storage, provisioning and management of cryptographic keys, X.509 certificates and passwords.
IBM Key Protect enables customers to encrypt sensitive data at rest and easily create and manage the entire lifecycle of cryptographic keys that are used to encrypt data. Encrypting data enables customers to store their data in the cloud and protect it from theft and compromise. Since the keys remain in possession of the customer, the data is protected from cloud service providers as well as from other users.
Cloud-based hardware security modules (HSM)
The solution provides cloud-based hardware security modules (HSM). The comprehensive key management solution is standards-based and enables customers to meet regulatory requirements and data security governance.
In this context, a user’s secret key is encrypted with the HSM’s encryption key (wrapped). The user’s secret key never leaves the HSM, while the encrypted version of this secret key is retained outside the HSM by the user and is an index to the actual secret key in the HSM. When a user needs to perform a cryptographic operation using this key, the encrypted version of the key is used to refer to the actual secret key stored in the HSM where all the cryptographic operations are performed.
In this way, a user’s secret key never leaves the HSM. The HSMs are certified to FIPS 140-2 level 2. Once keys are deleted, they cannot be recovered, and any data encrypted using these keys can no longer be decrypted.
How Key Protect works
IBM Key Protect provides an API so customers can programmatically integrate their applications with the component. The API is for general use and does not require specialized skills to use.
Mutual authentication and Transport Layer Security (TLS) secure API calls. With IBM Key Protect, you can create keys for your applications from a user interface as well. You can select the key type, algorithm, and strength of the key from a drop-down that requires minimal knowledge of cryptography to use. Alternately, you can import a key that you have created on your own.
IBM key support is presently available in Bluemix Public. Where a key is created, a service credential is generated with information to configure your application to communicate with Keystone and Barbican.
IBM Key Protect currently supports use of the Barbican API only for /v1/orders and /v1/secrets. Other Barbican capabilities are not supported. Refer to the Bluemix documentation for more information about Getting Started with Key Protect (Beta).
Object store encryption using IBM Cleversafe
IBM Cleversafe is a cloud platform storage system that can scale to provide storage for petabytes of data per customer. Cleversafe can be deployed on-premises, off-premises, or in hybrid cloud environments. Cleversafe customers have production deployments exceeding 100 petabytes of capacity,and the ability to scale to exabytes without compromising reliability, availability, or manageability.
Cleversafe provides built-in encryption of data at rest and in motion. Data is encrypted in motion using TLS and at rest using Cleversafe SecureSlice encryption. SecureSlice can be configured to encrypt data using AES or RC4 along with hashing for data integrity.
Cleversafe supports the following combinations of encryption and data integrity algorithms:
- RC4-128 encryption with MD5-128 Hash for data integrity
- AES-128 encryption with MD5-128 Hash for data integrity
- AES-256 encryption with SHA-256 Hash for data integrity
In addition to encrypting data at rest, for additional security, Cleversafe ensures that no copy of the data resides in any single disk, node, or location. For flexible data and management access, Cleversafe supports multiple authentication methods:
- Username and password (internally managed)
- Active Directory or OpenLDAP server
- S3 Secret Access Key
- OpenStack Keystone Identity Service
- Public Key Infrastructure (PKI) certificate and private key
A user may authenticate using multiple mechanisms from the ones listed above, for example, a username and password as well as proof of possession of a private key corresponding to an x509 v3 certificate.
Cloud data services encryption
Cloud data services provide managed services for data and analytics. These data services meet the needs of application developers, data scientists, and IT architects with data intensive needs. For example, application developers need database technologies to power their applications, or data scientists need analytics tools to rapidly analyze data from social media and spend less time managing the infrastructure for storing the data.
The following IBM products offer cloud data services protection and encryption.
- Cloud Data warehouse
IBM dashDB™ is a cloud data warehouse service and is available in both Bluemix (public) and Cloudant®. Data at rest in dashDB is encrypted automatically using Advanced Encryption Standard (AES) in Cipher-Block Chaining (CBC) mode with a 256-bit key.
Encryption and key management are totally transparent to applications and schemas. Additionally, the client has the option to indicate, upon provisioning, the master key rotation period. The default is 90 days, but the client may choose a different value. The master key rotation is automatic and transparent.
Database and table-space backup images are automatically compressed and encrypted. Additionally, backup images are also encrypted using AES in CBC mode with 256-bit keys.
- Cloudant NoSQL DB
Cloudant is a NoSQL database as a service (DBaaS) that can handle a wide variety of data types like JSON, full-text, and geospatial. You can mark all data at rest in a Cloudant cluster to be encrypted by default. Additionally, encryption at the level of a document can be done at the application level.
Cloudant is available on Bluemix in a shared environment where users are provided accounts on a shared Cloudant Cluster. Cloudant is also available in a dedicated environment where a customer can get a dedicated Cloudant cluster.
- IBM DB2 on Cloud
IBM DB2® on Cloud has the same security features as on-premises editions of DB2. It includes in-flight and at rest data encryption and meets ISO 27001, PCI-DSS, SOC2, HIPAA and other data protection standards. So, if your DB2 instances are in the cloud, you can configure DB2 with data encryption.
PostgreSQL provides cryptographic function in a module called pgcrypto that can be used for data integrity and data encryption. For verifying data integrity, use pgcrypto hash functions to compute a binary hash of given data. PostgreSQL supports SHA-256 and SHA-512.
Additionally, in PostgreSQL, you can select to encrypt certain columns in your database table by using the pgcrypto modules to enable the usage of the crypt() procedure in the SQL statements. Symmetric and asymmetric key encryption functions are implemented.
Data integrity refers to maintaining and assuring the accuracy and consistency of data over its entire lifecycle. Let’s define what we mean by data integrity. In our context, data integrity refers to protecting information from outside tampering.
Hashing data allows you to detect that unauthorized modifications have been made into data. This data protection is provided for data at rest (e.g., rows in the tables of a database) or for data in motion. For example, when data is stored in a database, we can generate a hash for the row of a table in the database and securely store the hash value. If a row is tampered with by modifying a field in the row, a comparison with the previously generated hash value will indicate data has been tampered with.
In the context of databases, data integrity can refer to entity integrity or referential integrity. Entity integrity relates to primary keys and the integrity rule that every database table must have a primary key which should be unique and not null. Referential integrity refers to the integrity of relationships between database tables when any updates are made to these tables. Referential integrity involves the concept of a foreign key.
In the Bluemix catalog, database-related services will have built-in data integrity capabilities.
In Cleversafe, the following combinations of encryption and data integrity algorithms are supported:
- RC4-128 encryption with MD5-128 Hash for data integrity
- AES-128 encryption with MD5-128 Hash for data integrity
IBM DB2 in the Cloud has the same enterprise-class data integrity controls in place as IBM DB2. It provides entity and referential integrity.
Digital certificates are vital to implementing a security environment in which two parties who need to communicate securely are able to authenticate identities, send confidential messages to each other, or generate digital signatures.
To understand digital certificates, you need to understand a few basic concepts about public key cryptographic systems. In a public key cryptographic system, a pair of related cryptographic keys are used – one for encryption and the other for decryption. One key, the private key, is kept secret and securely in the possession of owner A. The other key, the public key, is provided to anybody wishing to communicate with owner A.
Public key cryptosystems may be used in one of two modes:
- Encryption mode: Suppose Bob has a public and private key pair. Anybody wishing to send a confidential message to Bob can use his public key to encrypt the message. Since only Bob possesses the corresponding private key, no one other than Bob can decrypt the message
- Authentication mode: Bob encrypts a message using his private key and mails it. Anybody in possession of his public key is able to decrypt the message. The message in this case is not confidential since anybody with the public key can decrypt it using Bob’s public key. However, since only Bob’s public key can be used to successfully decrypt the message, the recipients can be certain that the message is from Bob. Bob cannot deny that the message was signed by him. The authentication mode forms the basis for digital signatures.
The public key of a public-private key pair must be made available to other users. This public key is made available in a digitally signed document called a certificate.
A certificate, among other things, contains a user’s name and a user’s public key, digitally signed by a certification authority, which is an entity that issues digital certificates and is part of a certificate management system.
At a high level, a certificate management system provides services for automated certificate management. This includes managing, issuing, and revoking digital certificates for various entities such as users, websites, applications, and devices like servers and mobile devices. Using a cloud-based certificate management system allows businesses to focus on developing their core business applications to meet their customers’ needs.
IBM Bluemix users with a pay-as-you-go or subscription plan are entitled to four free certificate uploads. Bluemix users with a free trial account are entitled to one free certificate upload.
Before you can upload certificates, you must create a certificate-signing request to send to a third-party certification authority, which will issue the certificate. IBM Cloud does not provide a certification authority. Organizations can also generate self-signed certificates for testing.
When ordering certificates from third parties, consider the business context in which the certificate will be used to decide on the level of certification needed for issued certificates. For example, websites that provide e-commerce or financial transactions need the highest level of validation for issued certificates.
Bluemix and IBM SoftLayer gives you the option of ordering domain-validated, organization-validated, or extende- validation certifications from different vendors. In domain-validated certificates, the domain for which the certificate is issued is verified and the certificate is issued through automated processes. No check is made regarding the organization requesting the certificate. These certificates should not be used on a website conducting e-commerce or financial transactions.
In organization-validated certificates, the certificate contains the verified name of the entity that controls the website for which the certificate has been issued. This kind of certificate is recommended for websites conducting e-commerce or financial transactions.
Extended-validation certificates are issued after even more extensive validation and provide a higher level of assurance than organization validated certificates.
Other considerations for the type of certificate to request includes the length of the asymmetric key pair generated for the certificate and the duration for which certificate is valid. You should select 1024 bit or 2048 bit keys, with 2048 bit keys being more secure and being the only option for extended validation certificates. Certificates should be set to expire within a year or two.
Data classification and data activity monitoring
Data classification and data activity monitoring are two effective methods to help secure critical information.
Before you can adequately protect sensitive data, you must identify and classify its existence. Automating the discovery and classification process is a critical component to a data protection strategy to prevent a breach of sensitive data. IBM Guardium provides integrated data classification capabilities and a seamless approach to finding, classifying, and protecting your most critical data, whether in the cloud or in the data center.
Activity monitoring provides you with visibility into not only who is accessing sensitive information, but also what information is being accessed, creating alerts when certain conditions are met, and even blocking or quarantining connections where warranted.
IBM dashDB, available with both IBM Bluemix and Cloudant, includes Guardium classification and continuous-monitoring capabilities, and is available through the dashDB console. Via the console, three reports are available:
- The Sensitive Data Report shows you what sensitive data is in your database, such as credit card numbers.
- The Database Connections Report gives you details above who is connecting to and accessing your database.
- The Activity Report gives you a detailed look at the activity in your database, such as which objects are being accessed.
Data privacy and regulations
Data privacy controls how information (particularly about individuals) is collected, used, shared, and disposed of, in accordance with policies or external laws and regulations.
In the European Union and other jurisdictions, data privacy is also known as data protection. For purposes of this article, we refer to the term as “privacy.”
Technical and organizational security and privacy measures are implemented for each cloud service in compliance with IBM policy. These measures are implemented according to the cloud service’s architecture, intended use, and the type of service provided. The image below shows the general division of responsibility within each service type.
With IBM cloud services, IBM SoftLayer (IaaS) clients are responsible for the applications, content, runtimes, middleware, and operating systems they deploy on the IaaS solution. This includes the implementation and management of data security and privacy measures that are not physical.
Bluemix (PaaS) clients manage the applications and content they deploy on the PaaS solution, including the implementation and management of data security and privacy measures for their applications and data.
SaaS clients continue to manage their end user accounts, appropriate use of the IBM SaaS offering, and the data they process pursuant to the terms of the cloud service agreement. Given their own requirements, SaaS clients are responsible for assessing the suitability of the standard data security and privacy measures that IBM implements.
IBM’s specific management responsibilities for each cloud service, regardless of type, are set out in the relevant offering agreement. The data security and privacy measures designed to, among other things, defend IBM cloud services against such risks as accidental loss, unauthorized access, and unauthorized use of client data are incorporated into each service description, including any configurable options and services that may be available.
For more information, read the Data Security and Privacy Principles document (PDF), which describes the overarching IBM policies and practices that are incorporated into each service description.